Re: ?hack cause?

From: Rex Monty di Bona (rex@comsmiths.com.au)
Date: 03/26/02


Date: Wed, 27 Mar 2002 06:31:36 +1100
From: Rex Monty di Bona <rex@comsmiths.com.au>
To: focus sun mailing list <focus-sun@securityfocus.com>

Mike P wrote:
>
> In-Reply-To: <15519.31424.834354.758874@gargle.gargle.HOWL>
>
> Andy,
> I would search for root kits first. Try
> http://www.chkrootkit.org/. Hopefully, you run tripwire
> or something like it.
>
> Mike
> mike@phasa.org

Even if you don't run tripwire you can do a basic tripwire
test against another machine. Build a database against a
machine running same OS release/patches that doesn't include
time stamps or inode number, so record owners, sizes, perms,
checksums, number of links and compare this to the affected
machine (booted from alternate media in both cases in case
the libraries are corrupted on the questionable machine).
There will probably be lots of false alerts depending on
additional packages installed, so it takes a while to read
the output. But, it does tell you if the machine is clean
or not.

The other choice is to use the sunsolve fingerprint database
and check things like inetd, csmd, etc. I'd probably do this
to things that looked doubtful from a tripwire scan.

                                        Rex.
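The baseline-and-compare procedure Rex describes, plus the follow-up of pulling out MD5s of doubtful files for a fingerprint-database lookup, as an added worked example. This is not Rex's code, not Tripwire, and not Sun's fingerprint tooling; it is a small Python 3 script that records exactly the attributes the post lists (owner, size, perms, checksums, link count) and deliberately omits time stamps and inode numbers. The reference and suspect trees it builds under a temporary directory are constructed test data, not real Solaris files, and the "MD5 (file) = hash" line layout in fingerprint_lines is an assumption about what a lookup service accepts. On a real case you would run build_baseline against each machine's root while booted from alternate media, as the post says, and feed the two databases to compare.

```python
"""Minimal Tripwire-style baseline/compare (added example, not Tripwire).
Records type, perms, owner, link count, size and checksums; mtime/ctime
and inode numbers are left out on purpose so two machines at the same
OS release/patch level can be diffed against each other."""
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """Describe one filesystem object without time stamps or inode number."""
    st = os.lstat(path)
    rec = {
        "type": stat.S_IFMT(st.st_mode),   # file / dir / symlink / device ...
        "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "gid": st.st_gid,
    }
    if stat.S_ISREG(st.st_mode):
        # Size and link count only for regular files: directory sizes and
        # link counts vary by filesystem and would only add false alerts.
        rec["size"] = st.st_size
        rec["nlink"] = st.st_nlink
        md5, sha256 = hashlib.md5(), hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                md5.update(chunk)
                sha256.update(chunk)
        rec["md5"] = md5.hexdigest()        # what a fingerprint DB lookup wants
        rec["sha256"] = sha256.hexdigest()  # stronger check for our own diff
    elif stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    return rec


def build_baseline(root):
    """Record every object under root, keyed by path relative to root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            db[os.path.relpath(full, root)] = file_record(full)
    return db


def compare(reference, suspect):
    """Return (missing, extra, changed); changed maps path -> differing fields."""
    missing = sorted(set(reference) - set(suspect))
    extra = sorted(set(suspect) - set(reference))
    changed = {}
    for path in sorted(set(reference) & set(suspect)):
        a, b = reference[path], suspect[path]
        diffs = [k for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]
        if diffs:
            changed[path] = diffs
    return missing, extra, changed


def fingerprint_lines(db, paths):
    """MD5 lines for the doubtful files, in a 'MD5 (file) = hash' layout
    (assumed format; adjust to whatever the lookup service expects)."""
    return ["MD5 (/%s) = %s" % (p, db[p]["md5"]) for p in paths if "md5" in db[p]]


def _write(root, rel, data, mode):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    os.chmod(full, mode)


def run_demo():
    """Constructed reference and suspect trees (not real Solaris files);
    returns the compare() result."""
    with tempfile.TemporaryDirectory() as base:
        ref, sus = os.path.join(base, "reference"), os.path.join(base, "suspect")
        for root in (ref, sus):
            _write(root, "etc/hosts", b"127.0.0.1 localhost\n", 0o644)
            _write(root, "usr/sbin/in.telnetd", b"telnetd binary", 0o755)
        _write(ref, "usr/sbin/inetd", b"inetd binary v1", 0o755)
        _write(ref, "usr/sbin/in.fingerd", b"fingerd binary", 0o755)
        _write(ref, "etc/inetd.conf", b"telnet stream tcp nowait root\n", 0o644)
        # Suspect: same-size trojaned inetd (only the checksum catches it),
        # setuid added to in.telnetd, a line appended to inetd.conf,
        # in.fingerd gone, and a hidden directory holding a replacement ls.
        _write(sus, "usr/sbin/inetd", b"inetd binary v2", 0o755)
        os.chmod(os.path.join(sus, "usr/sbin/in.telnetd"), 0o4755)
        _write(sus, "etc/inetd.conf",
               b"telnet stream tcp nowait root\nshell stream tcp nowait root\n", 0o644)
        _write(sus, "usr/sbin/.rk/ls", b"rootkit ls", 0o755)
        return compare(build_baseline(ref), build_baseline(sus))


if __name__ == "__main__":
    missing, extra, changed = run_demo()
    print("missing:", missing)
    print("extra:  ", extra)
    for path, fields in changed.items():
        print("changed:", path, fields)
```

The same-size inetd swap is the case worth noticing: owner, perms, size and link count all still match, and only the checksum field flags it, which is why a baseline without checksums is not worth much. Expect plenty of noise from package differences between the two hosts, as the post warns; the changed-field list per path makes it quick to skip entries that differ only in a harmless way and to pass the rest to fingerprint_lines.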